Top threats in education

by Mark Rowe

Ransomware and malware in general are the top threat for higher education (HE) institutions, according to a survey by Jisc, which provides IT and other services to UK education. Its survey found phishing and social engineering are the number one threat for further education (FE). Unpatched vulnerabilities take third place for both HE and FE, according to Jisc’s sixth annual survey of the sector.

Dr John Chapman, Jisc’s director of information security policy and governance, who runs the annual survey, warns that the threats remain challenging and there’s no room for complacency. Carried out in June 2022 and receiving 123 responses from UK institutions, the survey shows that almost all providers, 97 per cent of higher education and 94pc of further education, have cyber-security on their risk register. That’s a slight rise, of two and five percentage points respectively, compared with 2021. High numbers also regularly report on cyber-risks and resilience to their executive board: 87pc of HE and 79pc of FE institutions.

This is important, Dr Chapman says: “A robust cyber-security posture is only possible with strong leadership and we cannot emphasise that enough: board members must be accountable and responsible for cyber-security governance and risk management. Organisations where senior teams don’t understand that cyber-security is a strategic priority are less likely to have the kind of investment, robust processes and technical measures in place to defend well against the growing number of threats.”

Creating a strong cyber-security posture remains a challenge, the survey suggests. When asked ‘How well do you feel your organisation is protected?’, HE bodies are cautious, with only about one in six (ten out of 62 institutions) scoring themselves eight or more (where ten is best protected). Perceptions are more positive in FE, where nearly four in ten (39pc) scored their organisation eight or more. Comments offered by responding institutions on this question suggest that organisations rating themselves five to seven have controls in place but understand there is always more to be done to keep up with threats.

For those scoring eight to ten, the importance of robust systems and processes was a key theme, along with audits, certification and external support.

Dr John Chapman adds: “Colleges and universities are right to be circumspect about cyber-security. Certainly, there remains a minority of tertiary education providers that are not as well protected as they should be – and this is where Jisc can support. Member organisations can access our expertise and range of services to help assess and strengthen their cyber-security posture.”

Compulsory security awareness training is more common for staff than students, with 84pc of HE and 77pc of FE organisations requiring it of staff. As in previous years, FE institutions (21pc) are more likely to run compulsory student training than HE (5pc).

Dr Chapman adds: “Top threats identified by colleges and universities are similar to 2021, which is unsurprising given the persistence of ransomware attackers targeting the sector over the past two years. In 2020 there were 15 serious ransomware attacks on HE and FE providers in the UK, with 18 in 2021 and at least 11 so far this year. Accidental data breaches rank fourth on the list of threats, so I’m pleased to see an upwards trend in security awareness training, although ideally, mandatory training for students would be more widespread.”

Survey reports: data from the 2022 survey is divided into responses from FE and higher education.

Jisc is running its 2022 security conference this week in Wales and online. Visit www.Jisc.ac.uk. Speakers include Prof Alison Wakefield, the former Security Institute chair and a University of West London criminologist. See also Jisc’s cyber blog.

© 2024 Professional Security Magazine. All rights reserved.